Computer-based activities are now subject to electronic vandalism. A vandal, who is sometimes called a hacker in this context, may attempt to intrude upon a computer system in order to steal information in an act of industrial espionage, or to impede the operation of the computer by implanting a virus or by flooding the computer with bogus information, or to alter records to the detriment or the benefit of another party's interests or reputation.
Computers are often protected against hackers' intrusions by intrusion detection systems. An intrusion detection system monitors the activities on networks for particular events or patterns of events generally known as signatures. A signature is a set of events and transition functions that define a sequence of actions that constitute misuse or unauthorized use of the computer. For example, a misuse engine that relies upon signature monitoring is described in detail in U.S. Pat. No. 5,557,742.
More specifically, a signature may include a signature event such as stating occurrence of a particular pattern of bits, for example the pattern of bits that identifies logon-password failure. Associated with a signature event there may be a signature event counter for counting the number of times the signature event occurs. Associated with the signature event and the signature event counter there may be a signature threshold that differentiates between attempted intrusions and uneventful occurrences of the signature event. For example, the signature event may be required to occur J times in K minutes before an intrusion is suspected. Thus, the signature event “logon-password failure” may be judged to be suggestive of an intrusion when the signature event occurs more than five times in twenty minutes.
When the intrusion detection system observes activity that is suggestive of an intrusion, a system administrator may attempt to minimize the damage done by the intruder. For example, the occurrence of more than five logon-password failures for a given computer account over a twenty-minute interval of time may be a sign that an unauthorized party is attempting to gain access to that account by guessing passwords. To block this attempt at unauthorized access, the system administrator may lock the account under attack, or cause the account to be locked, and block the network access from the unauthorized party to the targeted account on the particular computer system.
Although today's intrusion detection systems provide a useful degree of protection, their effectiveness is limited by the static nature of the signature events and signature thresholds at their disposal, and the lack of state-transition knowledge that constitutes historical context. Once a signature event associated with an intrusion has been defined and a signature threshold set, broader circumstances and historical knowledge surrounding any attempted intrusion are not taken into account. As a result, the effectiveness of the intrusion detection system is significantly limited. This is unfortunate, because hackers' intrusions may have serious commercial or social consequences. Thus there is a need to improve intrusion detection systems so that they may use the best available information, taking into account historical knowledge and other circumstances that surround evidence of attempted intrusions, in order to provide the best attainable protection against intruding vandals.